
Radius issue with multiple Hotspot

Posted: Mon Dec 28, 2015 10:45 pm
by kaptain46
Dear all,
thanks in advance for any support :)

My scheme is as follows:

RB with 2 different hotspots on the same machine
ether1 connected to the RADIUS with 2 LAN IPs of the same subnet (192.168.1.1/24 and 192.168.1.2/24)
RADIUS client on the RB set to speak with the RADIUS server

Currently, each RADIUS accounting request from the hotspots goes out with 192.168.1.1 as NAS-IP-Port, but I need all requests from hotspot1 to go out with 1.1 and requests from hotspot2 to go out with 1.2 (my RADIUS server uses NAS-IP-Port to check the validity of a user in its domain).

I've also tried with src-nat, masquerading or mangle with Routing Mark, but none of these works correctly and every RADIUS request goes out with the first IP address set on ether1.

Is there any way to masquerade RADIUS requests by their source?

Re: Radius issue with multiple Hotspot

Posted: Mon Dec 28, 2015 11:46 pm
by ZeroByte
I think you shouldn't try to run both hotspots on the same logical interface / same IP subnet.

What are you trying to accomplish?
State your broad design goal and perhaps there's a solution that will work with less effort.

Re: Radius issue with multiple Hotspot

Posted: Tue Dec 29, 2015 12:43 am
by kaptain46
> What are you trying to accomplish?
> State your broad design goal and perhaps there's a solution that will work with less effort.

Thank you for your reply ZeroByte.

Basically, I need to run 2 different hotspot servers on the same RB that have a common RADIUS authenticator but with isolation between them based on different domains.

My RADIUS configuration allows a user to be valid only in its domain, and the domain is a container of users + hotspot; so only users that are part of domain A can authenticate on a hotspot configured as part of domain A, and vice versa.

I have a single ether port connected to the same RADIUS LAN and the only way I have to isolate users' requests is based on the NAS-IP-Port source, but I cannot find any way to select which IP assigned to this Ethernet port is used for each RADIUS request (based on the hotspot source).

Basically, I'm looking for a way to manipulate NAS-IP-Port on RADIUS requests from MikroTik to RADIUS, but after some days of heavy work, I think the best way is to try subnetting the /24 and set 2 IPs of /25 or /28 and create 2 virtual interfaces on the RADIUS server to reply on both subnets separately, in order to use standard IP routing to choose the right source IP from the Ethernet IP address pool.

Re: Radius issue with multiple Hotspot

Posted: Tue Dec 29, 2015 1:01 am
by ZeroByte
This sounds overly complicated to me.

Why not just have the users specify their domain as part of the login?
(i.e. require user@example.com or user@example.org) and whatever they specify as the domain is going to call your appropriate realm on the RADIUS server? That way, you can have bob@example.com and also bob@example.org with their own separate credentials and accounts, and not need to worry about overlapping user ID name space. Make the default realm be a deny-all realm so that nobody can just type "bob" into the login screen.

How are you forcing the users of the two different domains to hit the two different IP addresses on the same hotspot interface? Certainly a user of domain A could hit the IP of domain B's hotspot by some means, given that they're apparently in the same physical ethernet broadcast area.

Re: Radius issue with multiple Hotspot

Posted: Wed Dec 30, 2015 11:08 pm
by flameproof
The easiest way to achieve what you want is to use two hotspot profiles, with two DHCP pools, and use Location ID or Location Name to tell between the two at the RADIUS server. The other way is to differentiate based on Framed-IP-Address but that depends on what RADIUS server you have - I use Radiator which is Perl-based and extremely flexible.

In the past I have used two hotspot servers on the same interface with one RADIUS server, but they were set up to hand out different IPs from two pools, one was standard auth and the other EAP-SIM (two SSIDs too).

Re: Radius issue with multiple Hotspot

Posted: Thu Dec 31, 2015 1:04 am
by kaptain46
Thank you ZeroByte and flameproof for your suggestions, I will try both ways and I'll keep you updated about it.

Re: Radius issue with multiple Hotspot

Posted: Wed Jan 13, 2016 10:24 am
by kaptain46
> The easiest way to achieve what you want is to use two hotspot profiles, with two DHCP pools

Hi all, finally I chose to follow this way, using 2 different hotspot profiles with 2 different DHCP pools and setting my RADIUS to reply with the correct framed-pool.

In this way, I've isolated the 2 hotspot user groups and both work well.

Thank you for your support my friends :)
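
The server-side policy the thread converges on (realm in the login, a deny-all default realm, and a per-hotspot Location ID that selects the Framed-Pool), sketched as an added example that is not code from any poster or from a RADIUS product. It assumes the hotspot's Location ID reaches the server as the WISPr-Location-ID attribute; the realm names, location IDs, pool names and credentials are constructed.

```python
import hmac

# Constructed mapping: Location ID set on each hotspot profile -> the only
# realm allowed to log in there and the address pool returned on success.
HOTSPOTS = {
    "hotspot-a": {"realm": "example.com", "pool": "pool-a"},
    "hotspot-b": {"realm": "example.org", "pool": "pool-b"},
}

# Constructed per-realm credential stores (a real server queries its backend).
USERS = {
    "example.com": {"bob": "secret-a"},
    "example.org": {"bob": "secret-b"},
}


def split_realm(user_name):
    """Return (user, realm); realm is None when there is no usable '@realm'."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        return user_name, None
    return user, realm.lower()


def reject(reason):
    return {"code": "Access-Reject", "reason": reason}


def authorize(request):
    """Decide one Access-Request, given as a dict of attribute name -> value."""
    user, realm = split_realm(request.get("User-Name", ""))
    if realm is None:
        return reject("default realm denies all")  # bare "bob" never matches
    hotspot = HOTSPOTS.get(request.get("WISPr-Location-ID"))
    if hotspot is None:
        return reject("unknown hotspot")
    # Bind the realm to the hotspot the NAS reports, so a domain A user who
    # reaches hotspot B's login page is still refused.
    if hotspot["realm"] != realm:
        return reject("realm not valid on this hotspot")
    expected = USERS.get(realm, {}).get(user)
    supplied = request.get("User-Password", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return reject("bad credentials")
    return {"code": "Access-Accept", "Framed-Pool": hotspot["pool"]}
```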